Aqua Trivy and Starboard for scanning GitLab on IBM Power

Introduction

Aqua Trivy is a simple and comprehensive scanner that detects vulnerabilities in container images, file systems, and Git repositories. It can also identify configuration-related issues: Trivy scans infrastructure as code (IaC) files such as Terraform, Dockerfiles and Kubernetes YAML to detect potential misconfigurations that expose your deployments to the risk of attack.

Aqua Starboard is a tool that integrates security scanners into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. The Starboard CLI is a single executable binary that can be used to find risks, such as vulnerabilities or insecure pod descriptors, in Kubernetes workloads. By default, the risk assessment reports are stored as custom resources.

Trivy and Starboard for scanning GitLab on IBM Power

Trivy and Starboard have gained a lot of popularity as DevOps vulnerability scanning tools. Many users are interested in using their functionality on IBM Power, which creates the need to make these tools available on Power. Also, GitLab has announced Aqua Trivy and Starboard as its default scanner tools to provide DevOps container security to its customers. You can read more about it in the case study – GitLab Uses Aqua Trivy to Provide Customers with Default DevSecOps Container Security.

Aqua Trivy is officially supported on IBM Power, whereas Aqua Starboard has no official support for the ppc64le architecture. This tutorial helps users who want to use these scanning tools on the IBM Power architecture to test GitLab workloads.

Prerequisites

Make sure that the following prerequisites are fulfilled for installing Trivy and Starboard on Power:

  • A stand-alone virtual machine (VM) to build and install Trivy

    The example in this tutorial uses a ppc64le CentOS 8.2 VM. You can use IBM Power Systems Virtual Server service at IBM Cloud or Minicloud to get your ppc64le virtual machine.

  • A ppc64le Red Hat OpenShift Container Platform cluster for building and installing Starboard

    You can deploy a Red Hat OpenShift cluster on IBM Power Virtual Servers using the steps in the Installing Red Hat OpenShift Container Platform 4.x on IBM Power Systems Virtual Servers tutorial.

  • Install Docker and other dependencies on the Power VM.

    wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm
    
    wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-20.10.2-3.el8.ppc64le.rpm
    
    wget https://oplab9.parqtec.unicamp.br/pub/ppc64el/docker/version-20.10.2/centos-8/docker-ce-cli-20.10.2-3.el8.ppc64le.rpm
    
    wget https://download.docker.com/linux/centos/8/ppc64le/test/Packages/containerd.io-1.4.9-3.1.el8.ppc64le.rpm
    
    yum localinstall docker-ce-rootless-extras-20.10.2-3.el8.ppc64le.rpm docker-ce-cli-20.10.2-3.el8.ppc64le.rpm docker-ce-20.10.2-3.el8.ppc64le.rpm containerd.io-1.4.9-3.1.el8.ppc64le.rpm
    
    service docker start
    
    yum install libseccomp -y
    
  • Install the Go runtime on the Power VM and the Power cluster.

    git clone https://github.com/rpsene/goconfig.git
    
    cd ./goconfig
    
    source ./go.sh install
    

Estimated time

It takes around 30 minutes to install Trivy and Starboard for scanning GitLab workloads and artifacts.

Steps

  1. Build and install Trivy
  2. Scan GitLab artifacts using Trivy
  3. Build Starboard on the Power cluster
  4. Scan GitLab workloads on the Power cluster

1. Build and install Trivy

Run the following commands to build a Trivy image on ppc64le architecture:

git clone https://github.com/aquasecurity/trivy.git

cd trivy

docker build -t quay.io/snehakpersistent/trivy:ppc64le .

This image can be used when you want to run Trivy in a containerized environment. In this tutorial, we use it to build Starboard in the next section. The image is available on the quay repository.

Aqua Trivy is easy to use. Just install the binary file and you’re ready to scan. Run the following command to install Trivy on Power:

rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.19.2/trivy_0.19.2_Linux-PPC64LE.rpm

2. Scan GitLab artifacts using Trivy

Trivy detects two types of security issues: vulnerabilities and misconfigurations.

It can scan the following artifact types:

Let’s begin using Trivy to detect vulnerabilities and misconfigurations in the GitLab Runner operator on Power.

Example commands for detecting vulnerabilities are as follows:

# Container image
trivy image registry.gitlab.com/skanekar1/gitlab-runner-operator/gitlab-runner-operator:linux-ppc64le-v0.0.1-259402c6

# Filesystem
trivy fs /root/gitlab-runner-operator

# Git repository
trivy repo https://gitlab.com/skanekar1/gitlab-runner-operator

Example commands for detecting misconfigurations in the IaC files are as follows:

# Dockerfile
trivy config --severity HIGH /root/gitlab-runner-operator/ci

# YAML or Terraform
trivy config gitlab-runner-operator/config/manager/
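The commands above print human-readable tables; in a CI job you usually want a machine-checkable verdict instead. The following script is an added example (not from the tutorial, and not Trivy's own code) that runs a Trivy scan with its JSON output and fails the job when HIGH or CRITICAL vulnerabilities or failed misconfiguration checks are present. It assumes the trivy binary from step 1 is on PATH; the two sample reports are constructed, with placeholder CVE and check IDs, and cover both the bare-list JSON shape emitted by Trivy 0.19 (the version installed above) and the wrapped shape used by Trivy 0.20 and later.

```python
"""Gate a pipeline on Trivy's JSON report (added example, not the tutorial's or
Trivy's own code). Assumes the `trivy` binary installed in step 1 is on PATH;
--format json is a real Trivy flag. The sample reports below are constructed,
with placeholder vulnerability and check IDs."""
import json
import subprocess
from collections import Counter

# Severities that fail the job; the tutorial's config scan uses --severity HIGH.
BLOCKING = {"HIGH", "CRITICAL"}


def run_trivy(subcommand, target, extra_args=()):
    """Run e.g. `trivy image --format json <target>` and parse its report."""
    cmd = ["trivy", subcommand, "--format", "json", *extra_args, target]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def results_of(report):
    """Trivy 0.19 (installed above) emits a bare list of per-target results;
    Trivy 0.20+ wraps them as {"SchemaVersion": 2, "Results": [...]}."""
    if isinstance(report, list):
        return report
    return report.get("Results") or []


def severity_counts(report):
    """Count vulnerabilities by severity across all targets in the report."""
    counts = Counter()
    for res in results_of(report):
        for v in res.get("Vulnerabilities") or []:
            counts[v.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def blocking_findings(report, blocking=BLOCKING, fixable_only=False):
    """Return (target, id, severity) for each vulnerability or failed
    misconfiguration at a blocking severity. With fixable_only=True, a
    vulnerability that has no FixedVersion yet does not block the job."""
    found = []
    for res in results_of(report):
        target = res.get("Target", "?")
        for v in res.get("Vulnerabilities") or []:
            if v.get("Severity") not in blocking:
                continue
            if fixable_only and not v.get("FixedVersion"):
                continue
            found.append((target, v["VulnerabilityID"], v["Severity"]))
        for m in res.get("Misconfigurations") or []:
            # Passing checks can appear in the output too; only FAIL entries count.
            if m.get("Status", "FAIL") == "FAIL" and m.get("Severity") in blocking:
                found.append((target, m["ID"], m["Severity"]))
    return found


def should_block(report, **policy):
    """True when the report contains at least one blocking finding."""
    return bool(blocking_findings(report, **policy))


# Constructed report in the 0.20+ shape: one OS package target, one Dockerfile target.
SAMPLE_V2 = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/gitlab-runner-operator:ppc64le",
    "Results": [
        {"Target": "registry.example.invalid/gitlab-runner-operator:ppc64le (ubi 8.4)",
         "Type": "redhat",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl-libs",
              "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "glibc",
              "InstalledVersion": "2.28", "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "ci/Dockerfile", "Type": "dockerfile",
         "Misconfigurations": [
             {"ID": "EXAMPLE-001", "Title": "Image runs as root",
              "Severity": "HIGH", "Status": "FAIL"},
             {"ID": "EXAMPLE-002", "Title": "Healthcheck defined",
              "Severity": "LOW", "Status": "PASS"}]}],
}

# Constructed report in the 0.19 shape (a bare list) with an unfixed CRITICAL finding.
SAMPLE_V1 = [
    {"Target": "gitlab-runner-operator/go.sum", "Type": "gomod",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.invalid/lib",
          "InstalledVersion": "0.1.0", "FixedVersion": "", "Severity": "CRITICAL"}]},
]

if __name__ == "__main__":
    import sys
    # Usage: python gate.py image <image-ref>   (or: fs <dir>, config <dir>)
    # Without arguments the constructed sample report is evaluated instead.
    report = run_trivy(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_V2
    print("severity counts:", severity_counts(report))
    for target, ident, sev in blocking_findings(report):
        print(f"BLOCK {sev:8} {ident:16} {target}")
    sys.exit(1 if should_block(report) else 0)
```

The fixable_only switch reflects a common pipeline policy: an unfixed CRITICAL finding is still printed, but it does not block a build that nobody can fix yet, while findings with a FixedVersion stay blocking until the package is updated.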

3. Build Starboard on the Power cluster

Starboard can run in two different modes: the Starboard CLI and the Starboard Operator. In this tutorial, we focus on the Starboard CLI. Run the following commands to build the Starboard binary file for the ppc64le architecture. Internally, the build uses the Trivy image for Power that we built in the Build and install Trivy section.

git clone https://github.com/snehakpersistent/starboard.git

cd starboard/

git checkout ppc-support

make

cp bin/starboard /usr/local/bin/

4. Scan GitLab workloads on the Power cluster

The easiest way to get started with Starboard is to use an imperative starboard command, which allows ad hoc scanning of Kubernetes workloads deployed in your cluster.

To begin with, run the following one-time setup command:

starboard init

The init subcommand creates the Starboard namespace, in which Starboard runs Kubernetes jobs to perform scans. It also registers the custom resource definitions for the security reports with the Kubernetes API.

Let’s begin with scanning the GitLab Runner operator workloads. Run the vulnerability scanner to generate vulnerability reports.

starboard scan vulnerabilityreports deployment.apps/gitlab-runner-runner

Behind the scenes, the above command by default uses Trivy in stand-alone mode to identify vulnerabilities in the container images associated with the specified deployment. After the scan completes, you can retrieve the latest vulnerability reports for this workload using the following command:

starboard get vulnerabilities deployment.apps/gitlab-runner-runner -o yaml

Similarly, you can audit the Kubernetes configuration of your GitLab workload using the following commands:

starboard scan configauditreports pod/gitlab-runner-runner-7dcd8cc584-rxvwx

starboard get configaudit pod/gitlab-runner-runner-7dcd8cc584-rxvwx -o yaml

This internally uses the Polaris image to audit the configuration of your workloads. The Polaris image for ppc64le is built and published on the quay repository.
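The reports retrieved with starboard get are custom resources, one VulnerabilityReport per container of a workload plus one ConfigAuditReport, so a workload-level view has to be assembled from several objects. The script below is an added example (not from the tutorial, and not Starboard's code) that does that assembly: it selects the reports belonging to one Deployment through Starboard's starboard.resource.kind and starboard.resource.name labels, totals CRITICAL and HIGH findings per container, lists failed Polaris checks, and flags a report whose summary block disagrees with its vulnerability list. The resources are constructed to match the shape of Starboard's v1alpha1 VulnerabilityReport and ConfigAuditReport, with placeholder names and CVE IDs, and are embedded as Python dicts so the script runs without a cluster or a YAML parser.

```python
"""Aggregate Starboard report resources for one workload (added example, not
Starboard's code). The resources below are constructed to match the shape of
Starboard's VulnerabilityReport and ConfigAuditReport custom resources
(aquasecurity.github.io/v1alpha1) as printed by `starboard get ... -o yaml`;
they are embedded as dicts with placeholder names and CVE IDs."""

KIND_LABEL = "starboard.resource.kind"
NAME_LABEL = "starboard.resource.name"
CONTAINER_LABEL = "starboard.container.name"
# Severity -> key used in report.summary of a VulnerabilityReport.
SUMMARY_KEYS = {"CRITICAL": "criticalCount", "HIGH": "highCount",
                "MEDIUM": "mediumCount", "LOW": "lowCount", "UNKNOWN": "unknownCount"}


def vuln_report(container, summary, vulns, workload="gitlab-runner-runner"):
    """Build a constructed VulnerabilityReport for one container of a Deployment."""
    return {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
            "metadata": {"name": f"deployment-{workload}-{container}",
                         "labels": {KIND_LABEL: "Deployment", NAME_LABEL: workload,
                                    CONTAINER_LABEL: container}},
            "report": {"scanner": {"name": "Trivy"}, "summary": summary,
                       "vulnerabilities": vulns}}


RESOURCES = [
    vuln_report("runner",
                {"criticalCount": 1, "highCount": 1, "mediumCount": 0, "lowCount": 0, "unknownCount": 0},
                [{"vulnerabilityID": "CVE-0000-0001", "resource": "openssl-libs",
                  "installedVersion": "1.0", "fixedVersion": "1.1", "severity": "HIGH"},
                 {"vulnerabilityID": "CVE-0000-0002", "resource": "glibc",
                  "installedVersion": "2.28", "fixedVersion": "", "severity": "CRITICAL"}]),
    # The helper's summary claims two MEDIUM findings but only one is listed: a stale summary.
    vuln_report("helper",
                {"criticalCount": 0, "highCount": 0, "mediumCount": 2, "lowCount": 0, "unknownCount": 0},
                [{"vulnerabilityID": "CVE-0000-0003", "resource": "curl",
                  "installedVersion": "7.61", "fixedVersion": "7.62", "severity": "MEDIUM"}]),
    # A report for a different workload; it must be ignored when summarising the runner.
    vuln_report("web",
                {"criticalCount": 1, "highCount": 0, "mediumCount": 0, "lowCount": 0, "unknownCount": 0},
                [{"vulnerabilityID": "CVE-0000-0004", "resource": "nginx",
                  "installedVersion": "1.1", "fixedVersion": "1.2", "severity": "CRITICAL"}],
                workload="other-app"),
    {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "ConfigAuditReport",
     "metadata": {"name": "deployment-gitlab-runner-runner",
                  "labels": {KIND_LABEL: "Deployment", NAME_LABEL: "gitlab-runner-runner"}},
     "report": {"scanner": {"name": "Polaris"},
                "summary": {"passCount": 1, "dangerCount": 1, "warningCount": 0},
                # Polaris check IDs; success=False marks a failed check.
                "checks": [{"checkID": "hostNetworkSet", "severity": "danger",
                            "category": "Security", "success": True},
                           {"checkID": "runAsRootAllowed", "severity": "danger",
                            "category": "Security", "success": False}]}},
]


def owned_by(resource, kind, name):
    """Match a report to its workload through Starboard's resource labels."""
    labels = resource.get("metadata", {}).get("labels", {})
    return labels.get(KIND_LABEL) == kind and labels.get(NAME_LABEL) == name


def summary_is_consistent(vreport):
    """Starboard derives report.summary from report.vulnerabilities; a mismatch
    means a dashboard that reads only the summary would show wrong numbers."""
    counts = {}
    for v in vreport["report"].get("vulnerabilities", []):
        counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    summary = vreport["report"].get("summary", {})
    return all(counts.get(sev, 0) == summary.get(key, 0) for sev, key in SUMMARY_KEYS.items())


def workload_summary(resources, kind, name):
    """Per-container vulnerability totals plus failed config-audit checks for one workload."""
    out = {"containers": {}, "failed_checks": [], "inconsistent": []}
    for r in resources:
        if not owned_by(r, kind, name):
            continue
        report = r.get("report", {})
        if r["kind"] == "VulnerabilityReport":
            vulns = report.get("vulnerabilities", [])
            out["containers"][r["metadata"]["labels"].get(CONTAINER_LABEL, "?")] = {
                "critical": sum(v["severity"] == "CRITICAL" for v in vulns),
                "high": sum(v["severity"] == "HIGH" for v in vulns),
                "fixable": sum(bool(v.get("fixedVersion")) for v in vulns),
            }
            if not summary_is_consistent(r):
                out["inconsistent"].append(r["metadata"]["name"])
        elif r["kind"] == "ConfigAuditReport":
            for chk in report.get("checks", []):
                if not chk.get("success", True):
                    out["failed_checks"].append((chk["checkID"], chk.get("severity", "?")))
    return out


def needs_attention(summary):
    """True when any container has CRITICAL/HIGH findings or a danger-level check failed."""
    vulnerable = any(c["critical"] or c["high"] for c in summary["containers"].values())
    dangerous = any(sev == "danger" for _, sev in summary["failed_checks"])
    return vulnerable or dangerous


if __name__ == "__main__":
    summary = workload_summary(RESOURCES, "Deployment", "gitlab-runner-runner")
    for container, counts in summary["containers"].items():
        print(f"{container}: {counts}")
    print("failed checks:", summary["failed_checks"])
    print("reports with stale summary:", summary["inconsistent"])
    print("needs attention:", needs_attention(summary))
```

To use it against a cluster, export the reports as JSON (for example with kubectl get vulnerabilityreports,configauditreports -o json, an assumed retrieval path not shown in the tutorial) and pass the items list to workload_summary in place of RESOURCES.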

Summary

This tutorial explained how to install Aqua Trivy and Starboard on IBM Power for scanning GitLab workloads and artifacts. It is intended for users who want to run these scanning tools on IBM Power systems.